The temptations inherent to the banking sector, and financial institutions more generally, pit them in an eternal and increasingly high-tech battle to secure themselves against threats from within and without. They also have a responsibility to protect their customers and their data from unauthorised access, and since bank branches are essentially businesses they are seeking ways to improve the customer experience in similar ways to the retail sector.
Addressing all these concerns requires a highly integrated approach that uses the cutting edge of security technologies across the board. We asked IDEMIA, Cathexis Africa and CA Southern Africa how their companies’ particular areas of expertise are being leveraged in the financial sector.
“In recent years we have seen a significant shift amongst the world’s largest financial institutions, toward frictionless biometric technology, which is driven by several key factors,” comments Nicolas Garcia, regional director of sales at IDEMIA SA. These factors include security standards compliance and resultant audit pressures which have increased dramatically around the globe in recent years (for both physical and logical security). This has been driven in part by the large number of high-profile insider and outsider breaches/attacks seen in the past five years.
What’s more, the world’s major financial institutions are competing for both the best customers and the best employees. They are always looking for ways to attract top talent, and are focusing heavily on workplaces that are high-tech, safe, and attractive to employees. Also, the access control technology is highly visible to any visitor entering the lobby, and plays a significant role in reinforcing the message of how serious the bank is about security.
In the workplace, the same frictionless technology regularly extends to time and attendance, cafeteria payments, gym access, parking and other services. This feeds into IDEMIA’s ‘augmented identity’ concept, central to which is the idea that leveraging our identity must be not only a secure process, but also natural and convenient. This extends well beyond traditional access control and security applications into other areas such as eKYC, voting systems, civil ID programmes, border control and passenger facilitation, amongst others.
“IDEMIA’s facial recognition and analytics solutions provide an additional layer of security designed to complement traditional access points by extending the reach of security well beyond the physical doors and barriers. By fusing detection and tracking of persons or objects with accurate facial recognition algorithms, a powerful early warning system and investigative tool provides for much higher ROI (return on investment) of the customer’s existing surveillance infrastructure,” Garcia says. The technology can provide alerts based on any number of watch-lists for a variety of purposes ranging from detecting known bank robbers to identifying VIP customers.
IDEMIA’s biometric technology plays a key role in providing better security to both banks and their customers. Biometrics can be used to verify the identity of a customer when opening a bank account and/or to detect if that same customer has previously existed in the system under a different name. That biometric technology is also integrated into ATMs and branch teller solutions around the world to provide secure authentication of customers.
IDEMIA also offers a secure bank card with embedded fingerprint sensor, known as FCode. This allows a customer to scan their fingerprint directly on their banking card to authorise a transaction, instead of relying on a traditional PIN or signature.
“More major banks and credit providers are now integrating IDEMIA’s biometric technology into the payment experience,” Garcia states. “Secure payments using biometrics bring an important combination of both increased convenience and security at the same time. The expectations of today’s typical banking customer are very different than 10 or 20 years ago.
“Today’s customer grew up with a different level of technology accessibility and most are already completely comfortable using biometrics on their phone for a wide variety of authentication use cases including payments. Today’s customer expects that same capability to extend beyond their phone and into the retail space, whether at a shopping mall, concert or train station.”
Making use of video analytics
Video management software (VMS) specialist, Cathexis Technologies, works with various entities within the financial sector. While its involvement has extended to institutions such as the London Stock Exchange, the biggest component is the banks and their branches, according to Cathexis Africa’s managing director, Gus Brecher.
Integration is a big factor in the banking sector, says Brecher: “We have quite a lot of banking customers and in that sector we do a lot of integration with their fire systems, alarm panels and access control. Depending on the bank, many of them like to have a central monitoring capability, so they’ve got a hybrid scenario where they’ve got distributed recordings on site, a centralised monitoring facility for alarms, and the ability to view and store video off-site on request.”
Over and above access control systems deployed in the back-office areas, Brecher says banks are increasingly making use of video analytics. One way this can be used is to notify a branch manager if someone has entered the customer service area and not been served within a certain period of time, to enable the branch to improve its customer service levels. People counting can also be used to gain more insight into people’s comings and goings.
Analytics algorithms that identify loitering behaviour are also deployed outside banks and at ATMs. “We’ve also done some ATM integration where the standalone ATMs have small recording devices in them which can be correlated with the ATM transactions. However, because of privacy issues addressed by the likes of the PoPI (Protection of Personal Information) Act and GDPR (General Data Protection Regulation), this is typically limited to details like the time and type of a transaction, rather than details about the person performing the transaction,” Brecher says.
Cybersecurity must not be ignored
Whether crime is committed with a crowbar or a computer, the number one motivator for an attacker is greed, points out Gregory Dellas, security presales at CA Southern Africa. “It is for this reason that banking and financial institutions face the most persistent threat from the world’s assorted cybercriminals. While data has value and can be breached and sold off, it is the systems that handle the criminal’s true goal – money – that make the best targets,” he states.
According to SABRIC, 16 296 incidents were reported from January 2018 to August 2018 with losses amounting to more than R183 million for the banking industry. This is a 64,3% increase in the number of incidents over the same period in the previous year. On a wider scale, in the PwC 2018 Global Economic Crime and Fraud Survey, South Africa ranked number 1 globally for companies having experienced some form of economic crime, with a whopping 77% of all South African organisations being affected.
The largest increases in the sector were seen in insurance, consumer lending and retail investing. A contributing factor in this trend is the assumption that the established enterprises are the most at risk, when in fact, new entities including cloud-based services and digital banks are also highly targeted. Young organisations seeking to grow quickly and build security later make up the majority of these reported breaches.
Awareness versus alertness
“Awareness of these facts is an important step towards strong security but it is not enough,” Dellas insists. “The attacker is alert, prepared and 100% focused when exploiting systems. The staff of a financial services firm may be security aware but they are acting on routine, are distracted and not anticipating, for example, a potentially fateful social engineering phone call.
“This alertness shortfall can only be overcome with the right tools and a wide safety net strategy. Singapore-based DBS bank provides a good case study, where a newly implemented CA Technologies automated identity and access management platform reduced risk of fraud, increased efficiency and improved customer satisfaction.”
Additional layers of defence include tools that manage privileged credentials, which are the equivalent of the vault keys in a physical bank. Intelligent risk-based authentication can fill in the alertness gap should attackers gain access to systems or possession of employee credentials; they can be blocked based on thousands of hours of behavioural profiling.
“Many financial institutions are benefiting from benchmarking themselves against peer companies such as DBS. One good industry forum that helps address cybersecurity risk is the Financial Services Information Sharing and Analysis Centre (FS-ISAC). They conduct frequent cyber-range exercises and publish recommendations. Another excellent initiative is the Financial Data Exchange which seeks to create a common standard for data sharing across the financial industry.
“Reaching out to peers and partners familiar with the cutting edge of cybersecurity is an important step in boosting overall security posture. By continually adding additional layers of security, be they tools, processes or collaborative initiatives, best practices will ultimately keep financial institutions safe and secure,” Dellas concludes.